Don't send me passwords
« previous post | next post »
Keith Allan has bravely outed himself as editor of the journal from which I recently received a thoroughly discourteous message sequence. I thank him for responding to the discussion, and for confirming that it was not about him pressing the buttons in the wrong order. The reason his fine journal (the Australian Journal of Linguistics) sent me a message sequence I found annoying and presumptuous is the design of the stupid ScholarOne Manuscript software. Let me explain a little more about the nature of my life (perhaps my experiences will find an echo in yours), the part that involves those arbitrary strings of letters and digits we are all supposed to carry around in our heads like mental sets of keys.
I have to keep a secret laptop file (it had better be secret — I can only hope I have hidden it well enough, since laptops do get stolen) containing more than a hundred triples consisting of URL, login name, and password or PIN that I have been issued with in pursuance of my many duties. Many of these accounts are for duties absolutely required of me in my university roles. Often there is no option to change either the login name or the password. (One of these also involved a complicated and entirely numerical login name. I was expected to use it the other day to fix a problem with student records entry that arose in 2005 at a university that I left in 2007. Apparently people expect you to keep in perpetuity these records of the unmemorizable passwords they give you.)
I simply hate being issued with new account names and passwords, to add to this burden. Yet these days a new one is obligatory for every association membership, email service, records database, blogger identity, banking arrangement, credit card, cellphone service, online purchase, loyalty program, travel agent, grant application, computer account, encryption system, or reviewing chore.
For many of them, I know, it is true that I would in principle be able to pick my way slowly through their "Edit my profile" page and figure out how to change the password to a standard one (not that they recommend it: security experts say you should have different passwords for every account!); but with over a hundred to work through, it would be hours of work, and I would still need to keep records of which ones I had changed so far, and what I had changed them to. There are widely differing rules regarding password composition: some (with no financial interest to protect) are ridiculously slack, and would accept "abcdef" (I even encountered one idiot organization that sent me an email confirming what password I'd chosen, and repeated it in their message, in plain text!), but others insist on something like "aQz&g9#B", with at least 8 characters and including case distinctions and non-alphabetics and embedded numerals, and repeatedly reject passwords until they get one they consider properly secure. I haven't got the five minutes to fiddle around with each such account and choose which memorized password to try and make it accept. I just hide the passwords in a file and look them up.
But this is not optimal, and I want to minimize the problem. So one thing I want to insist on is that no new accounts are set up for me without my permission. The ScholarOne/ManuscriptCentral software violates that tenet, and it then spams me to tell me it has done so! I find it infuriating. But the editor, I now learn, has no power to use the software without it behaving in this way. Thomson Reuters is to blame for what is apparently an uncustomizable piece of garbageware that editors everywhere are increasingly taking up in order to ease the intolerable burdens of their virtually unpaid work. But it is not the fault of the hard-working editors. I sympathize with Keith, and with others like him all over the world.
Tikitu said,
March 22, 2010 @ 6:05 am
I hesitate to suggest it since it might encourage signing you up for new accounts, but a password manager might make this a bit simpler. At least it would remove the worry about your laptop being stolen.
They store everything in an encrypted file, locked with a master password. Typically they let you organise things a bit (e.g. have a "2007" folder that you expect never to open), and push username/password to the clipboard for easy copy/paste. Also typically they will generate a strong password on request; since you don't have to remember the new password (it's in the manager), it doesn't matter that it's unreadable.
You need to be sure to backup the database, but I presume you do that with your text files already.
If you happen to run Gnome under linux, there's "Revelation". Plenty more for other platforms.
Antti-Juhani Kaijanaho said,
March 22, 2010 @ 6:13 am
No file is secret enough from a knowledgeable thief. What I've done myself, off and on, is send myself GnuPG encrypted emails containing the passwords. As long as my private key (and its own passphrase) remains secure, so do the passwords.
Russell Aminzade said,
March 22, 2010 @ 7:11 am
Let me reiterate what the others have suggested, and recommend a few very good password managers. I used to use Keepass which is free, open source, and cross-platform, but I recently moved to the equally free LastPass which besides being quite safe is also well integrated with most standard browsers. It replaces, for example, Firefox's own insecure password manager, then it kinda lurks in the background and automatically handles logins and all sorts of other web-based forms.
I'm not a salesman, so I'll direct you to the Wikipedia entries on these products, the product's home pages themselves (which I'm sure you can find). These have more detail.
JKD said,
March 22, 2010 @ 9:14 am
Hey, I've got an idea: Why not ignore the email?
They could set up a vacation home for you in Narnia. That doesn't mean you have to pay the mortgage.
Jens Fiederer said,
March 22, 2010 @ 9:20 am
There have been movements to reduce this clutter WITHOUT using the same password for multiple sites (the password being for one site that multiple other sites trust).
OpenId is not accepted everywhere yet, but the coverage is growing:
http://openid.net/
jack lecou said,
March 22, 2010 @ 9:26 am
There are encrypted online password managers now too — clipperz.com, for example, but I think there are others — so even a stolen laptop wouldn't be a problem (or one left at the office when you need to check your bank account from home).
The encryption is done in client-side javascript, so in principle it's entirely secure. You just need to remember one passphrase (and yes, you can keep a backup download of the data in case the service disappears).
John said,
March 22, 2010 @ 9:34 am
Get a Mac. :-)
Such a password manager is built in.
Richard said,
March 22, 2010 @ 10:06 am
@JKD
You can certainly always ignore it. But is that what you really want to do? Have another cyber identity floating around on the internet, with your name attached to it, that you have absolutely no control over?
Sure, financially they have no grounds over you, but it can sometimes open up a whole different can of worms.
Constant spams, other people trying to contact that profile and getting offended when not getting a response, potential identity theft if someone else created the profile…or simply the fact that your name is attached to a certain service or product that you may not want to have your name attached to. The list goes on.
Hate the internet yet?
peter said,
March 22, 2010 @ 11:12 am
An alternative approach is to create, not lots of separate passwords, but a single password-creation function (ie, a formula for generating passwords). So, for example, for each new password, you could use the first three characters of the url to which the password applies followed by the last three digits of your date of birth. That way, each password is unique AND you only have to remember the function, and not each password.
Shannon said,
March 22, 2010 @ 12:47 pm
Let me join the others in recommending a good password manager. I have used Roboform for the past three years and *love* it. The free version only lets you store a limited number of passwords, but I think it is well worth paying for the full version ($30, includes free upgrades for life).
Terry Collmann said,
March 22, 2010 @ 2:07 pm
The password system I hate is the one my bank now uses to guarantee/confirm online payments, which require me to enter a randomly generated pair of characters from my password, eg "Please enter the third and seventh characters from your password". The only way I can work out what the third and seventh characters of my password are is by WRITING MY PASSWORD DOWN. How secure is that …
I prefer Peter's method: one 'core' password element that is easy to remember, and a method of creating another element derived from the name of the site. It wouldn't take much brains to work out exactly what my password generating method was, given enough examples of passwords I use, but it does mean that someone watching over my shoulder as I type in one password wouldn't be able to use that same password to get into any other site.
fizzog said,
March 22, 2010 @ 2:44 pm
Yes, Roboform is excellent, and well worth the money. It does it all for you – problem solved!
Simon said,
March 22, 2010 @ 3:17 pm
The problem with password managers (and a text list "hidden" on your laptop) is that you can't, say, check your email on someone else's computer. If you lose that file or program (dropped a cup of coffee on your laptop?) then you're royally screwed.
I second what Peter said – use some generator. If I was logging into this website, I'd do something like take my standard password (say "1234"), and something to do with this website say ("languagelog"), and then combine then "1234languagelog". This should be ok for most sites. If you want to be more paranoid, then you could add a few more rules (replace every 5th character with an !, or generate an md5 hash and use that).
Rubrick said,
March 22, 2010 @ 3:20 pm
I even encountered one idiot organization that sent me an email confirming what password I'd chosen, and repeated it in their message, in plain text!
Only one? I'm quite surprised.
The current system is so hideously broken that I can't do much but laugh. The recommendations for choosing secure passwords essentially boil down to the following:
1. Make sure it's a sequence that's difficult to guess (and hence memorize)
2. Use a different sequence for each site
3. Never write any of them down
An approximate hypothetical equivalent in another sphere:
1. Always drive manual-transmission vehicles
2. Switch gears whenever the RPMs go above 3500 or below 1000
3. Keep both hands on the steering wheel at all times
Dan T. said,
March 22, 2010 @ 4:32 pm
I use eWallet on my iPhone to store my passwords; it has the advantage of being portable so that I can get to my passwords anywhere I need them, but the disadvantage of having no way to copy and paste them to a PC; I need to type them every time.
Banks tend to lead the way in being annoying in every possible way, coming up with convoluted schemes for usernames, passwords, PINs, and challenge-and-response questions/answers, plus periodically demanding "one-time" e-mail confirmation; they also use sessions that time out in absurdly short times, forcing you to log back in if you pause to get coffee or take a phone call, or even need a few minutes to read your online statement without clicking on anything; and they tend to have idiotic browser sniffing to reject you if you're not using one of the few currently trendy browsers they like.
Ingrid Jakobsen said,
March 22, 2010 @ 5:25 pm
I am a Mac user, and happy 1Passwd user. I have my passwords sync'd between my computer and phone, so as long as I have the phone with me, I can access things on unfamiliar machines.
Frans said,
March 22, 2010 @ 5:30 pm
I wrote a rant about password requirements a while ago. As I outline in there, my basic secure password consists of a sentence with certain standard modifiers. For instance, my password for this site could be
secure!LL.p4ssw0rd. The key in this example is:each a is replaced by 4
each o is replaced by 0
spaces are represented by dots except the first one (which is an exclamation mark)
at some standard point there is a site identifier
Note that I use something far less secure for the majority of forums (although mostly because I use it all over the place) and the like; this is merely for important things (bank account, electronic government-related stuff, etc.) I really, really hate it if I cannot use a secure password which I can remember at a place where I actually matters so that I actually have to write it down to remember. That scenario is what caused me to write the entry I linked to as I had yet again forgotten the password to my DigiD (Dutch digital identity). My secure password was too long. If there's any way to make passwords less secure it's to make them shorter if you ask me…
@Dan T:
"and they tend to have idiotic browser sniffing to reject you if you're not using one of the few currently trendy browsers they like"
You mean cutting-edige browsers like IE6 and Firefox 1.5? That tends to be my experience, at any rate.
Alissa said,
March 22, 2010 @ 6:53 pm
Here's one I got today from a certain university that shall remain nameless:
"Passwords may not contain dictionary words, various reserved words, or biographical information, either directly or with numbers or symbols meant to represent letters.."
What's worse is the words it kept objecting to aren't even words I had ever seen before and that I did not intend to be words. How in the world are you supposed to make a password you can remember?
Karen said,
March 22, 2010 @ 6:54 pm
The government mandated travel card bank insists you use IE. Period. I hate that.
Karen said,
March 22, 2010 @ 6:56 pm
Our IT guy at work suggested writing down the passwords and keeping the note in your wallet. You know how to protect that, and it won't be with your laptop if it gets stolen.
Of course, if your wallet gets stolen you won't have your passwords…
wren ng thornton said,
March 22, 2010 @ 6:57 pm
What's even worse, there are numerous sites which not only have lax password policies, but enforce the laxity by prohibiting symbols, numbers, etc! Thanks to them, there's no hope of being able to use the same password everywhere (not that you should be, but still).
Having worked in web development for a while, the only possible explanation for this is that they haven't figured out how to escape strings in order to store them in a database without interpreting the string as a command. There's no excuse whatsoever for this level of incompetence.
Richard said,
March 22, 2010 @ 7:23 pm
And for sites which insist on opening an account for no apparent reason (i.e. because they want your e-mail address to send you spam), there's always http://www.bugmenot.com/ if you want to be a tiny bit subversive.
Katherine said,
March 22, 2010 @ 8:10 pm
@Karen "Of course, if your wallet gets stolen you won't have your passwords…"
Yes, but if your wallet gets stolen, hopefully they won't know your username, or at least won't figure it out in time for you to change your passwords. And you'll know your passwords have been stolen.
So uh basically I agree.
Peter said,
March 22, 2010 @ 9:35 pm
I even encountered one idiot organization that sent me an email confirming what password I'd chosen, and repeated it in their message, in plain text!
I can think of two organisations that send me my username and password in every email they send me.
Another one I hate is a work system that rejects passwords if they contain dictionary words. This means that a ten character password I tried which happened to have consecutive letters 'c', 'a' and 't' was rejected. There's no way a brute-force dictionary-based algorithm would crack that particular one in under a year.
jc said,
March 22, 2010 @ 10:30 pm
Some time ago I read a nice bit of satire in which the set of rules for a password became so complex and restrictive that there was only one password that would satisfy them. But I've forgotten where I read it.
mattmc said,
March 22, 2010 @ 10:56 pm
Ask them to pass a request on to their developers to implement OpenID support. They may be looking for such an excuse to begin working on it.
Frans said,
March 23, 2010 @ 3:45 am
@wren ng thornton:
I do hope that by "escape strings" you mean "hash strings" (and hashes rarely need to be sanitized for DB input).
@Peter:
My ISP does. "It's time to pay us money again. Btw, your password is xxxxx"
Antti-Juhani Kaijanaho said,
March 23, 2010 @ 5:41 am
There are password generation programs that can create pronounceable passwords that satisfy most password criteria.
Fred3 said,
March 23, 2010 @ 7:18 am
With a password manager, you only have to remember one password.
The open-source password manager "Password Safe" is open source and recommended by several computer security experts. It is free. If you want you can put the whole thing on a key-chain USB stick with the ten dollar version. Provided, of course, you're not the kind of person who loses his keys.
See http://pwsafe.org/
Or you can encrypt it on the web instead; Your password system portable via browsers by using the "LastPass" system. This is not open-source so is not as widely inspected. This method is proof against hard drive failure, you can log on from a different computer. Lastpass also has other cool features you should read about.
Using LastPass is easier and more automatic than using Password Safe, but since it has more features it takes longer to learn and set up.
See https://lastpass.com/
Both programs have tools to automatically generate and remember complex passwords for you.
Other friends of mine like RoboForm.
There are other solutions. Your hidden-file solution is not safe.
Transferring the data from your current system to the software could be tedious, though.
There are also tools to encrypt single files on your hard drive. You can encrypt your password file, back it up somewhere, and then use the single password to decrypt it as needed. This is a poor-man's password manager. But you only have to remember the one password.
Stephen Jones said,
March 23, 2010 @ 11:19 am
If you use your files because your password is stolen you have a problem and need to get back up software immediately.
If you're worried about the passwords being found that's a different matter. One way is to encrypt the file, but then you will find you lose the password to unencrypt it.
Really there are only about four or five accounts where security matters. For all the others change to a standard password.
Incidentally one way of having memorable passwords is to base them on memorable events.
'Day and time I first lost my virginity'
'Date of birth of my first goldfish'
'Words that make Pullum freeze with anger'
Andrew Clegg said,
March 23, 2010 @ 12:17 pm
@Terry Collmann:
"The only way I can work out what the third and seventh characters of my password are is by WRITING MY PASSWORD DOWN. How secure is that …"
Huh?
You can follow the subtleties of a typical Language Log discussion, but not count through a sequence of characters in your head?
carla said,
March 23, 2010 @ 1:43 pm
One way of making a secure password that is not hard to remember:
* Choose a lyric from a favorite song. Example: "one pill makes you larger and one pill makes you small"
* Take the first letter from each word in the lyric. In this example, there are some numbers in the lyric so use the numerals instead: Example: 1pmyla1pmys
* This is probably already secure for most systems, but you can improve it still further by adding punctuation and capitalization. Here, there is a pause in the song after "larger" so I'd add a comma after that. Also, I'd capitalize the L, since capitalizing "larger" is not too hard to remember. Example: 1pmyL,a1pmys
* This is also probably longer than is needed – you could cut it at 1pmyL,a1 and have a good strong uncrackable yet memorable password.
* Another trick you can use to generate different but memorable passwords for each website is to append or prepend numerals corresponding to the number of letters in the website's name. So, for example, you could have
– Language Log (12 letters) – 1pmyL,a112
– Amazon (6 letters) – 1pmyL,a16
etc.
I hope this approach is helpful to some of you who despair of ever constructing strong, memorable, yet unique (or close to unique) passwords for each website.
Will said,
March 23, 2010 @ 6:17 pm
@Frans
I think thornton was thinking of a worst possible case. A developer that doesn't even know how to escape strings is probably also not aware that they should only be storing password hashes in the database.
@Stephen Jones
I think the second time I lost my virginity was more memorable, since it was such a self-contradictory event.
Glaurung_quena said,
March 24, 2010 @ 12:32 pm
1. Experts who say you should never write down your passwords are morons. I always write my passwords down, and keep the list in my wallet, next to my credit cards and bank card. If someone steals that, changing my passwords will be just one more thing I'll have to do to re-secure my life.
2. I have a method of generating passwords that enables me to remember a seemingly random string of letters and numbers — I might use the initial letters of a sentence I'll never forget (say a quotation or line from a song) plus a number I'll never forget. I've used this method to generate about half a dozen passwords which are very secure but which I never really need to look up (the paper in my wallet is just insurance).
3. Experts who say you should use a unique password for every different site are living in a past era when nobody had more than a couple of passwords. I have one password for email, one for my bank, another for my credit cards and for websites that store my credit card info, and finally a single password that I use on every other non-financial, non-sensitive information website out there.
Stephen Jones said,
March 25, 2010 @ 12:13 pm
Evidently failing to keep up with the wonders of medical science.
Ken Brown said,
March 25, 2010 @ 1:11 pm
Hey! I *am* a computer security expert! Stop knocking us! And no we don't (or some of us don't) say you need a different password for each site or service because we know we can;t remember them all and we can't bring ourselves to imagine that you are cleverer than us…
So, as others have said, segment your password space. Group things by how important they are to you. Have a default username and password pair you use for arbitrary irritating register-before-we-let-you-see-our-webpage sites, have three or four others for different kids of thing, and use the most secure passwords only for the most important stuff. Just like the military used to to (and for all I know still do)
Garrett Wollman said,
March 26, 2010 @ 12:08 am
What Ken Brown said.
I'd also point out that there's no particular reason, when using the "choose a random line of poetry" method of generating passwords, to abbreviate the words — just use the whole thing. (Assuming, of course, the site doesn't have any idiotic restrictions like "no spaces in the password" or "must be less than ten characters long" — both of which I've seen and both of which would cause me to refuse to trust that site for anything.) There's no real improvement in security by doing this (each additional word only adds a few bits of entropy in the limit as password length increases) but it does make it easier to remember, easier to type, and harder to shoulder-surf.
For stuff that's really important, I just use a secure PRNG (Yarrow) to generate a sufficient number of bits of pseudo-randomness — 48 random bits is probably more entropy than most people's passwords have. When converted to plain text, this expands to an eight-character string like "hDm4SlFn". If I use it enough, I won't have any trouble remembering it. And if I want something longer (perhaps when force-changing a user's password, to ensure that they change it), well, "1KjZFUhmW+OvPOS4" seems like a perfectly cromulent (pass)word.
Another trick that I used to use was to include control characters in my password. Sadly, this ceased to be possible as many Web browsers (having stolen the control characters for their own keyboard shortcuts rather than using meta-keys as God intended) make it impossible to enter them. (And I don't think it's possible to enter control characters on my smartphone's browser, either.)
Marit said,
April 11, 2010 @ 9:46 am
@Karen:
Write down you passwords and put them in the wallet. If you want more security, get (a random 4-digit) pin code you learn by heart and add to every password you have written down (but don't write down this pin code).